
Bug#622146: nfs-kernel-server: error Encryption type not permitted



On 11/14/2011 04:57 PM, Mc.Sim wrote:

> Hello!

Hi

> I have Win2k8 R2 as a domain controller (as KDC for NFS).
> There is an NFS client on Debian wheezy: hostname - debian:

> I tried to uncomment
> #       default_tgs_enctypes = des3-hmac-sha1
> #       default_tkt_enctypes = des3-hmac-sha1
> #       permitted_enctypes = des3-hmac-sha1
> and comment:
>         default_tgs_enctypes = des-cbc-crc
>         default_tkt_enctypes = des-cbc-crc
>         permitted_enctypes = des-cbc-crc

Why would that work without changing anything in your Kerberos keytabs?

> but always when trying to connect to the server,
> root@debian:~#  mount -vvv -t nfs4 -o sec=krb5 archiv:/nfs /mnt2

> And get the error in log on server:
> ARCHIV ~ # tailf /var/log/daemon.log
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:26:42 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:29:30 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:39:05 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type not permitted
> Nov 14 18:39:20 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - Encryption type not permitted

Expected when des3-hmac-sha1 is not in keytab.

> ==============================================
> In this case, the second mount on the client only after a service nfs-common restart, because mount hangs and stops due to a timeout.
> When I comment out all the settings on the server and client:
> 
> #	allow_weak_crypto = true
> #        default_tgs_enctypes = des-cbc-crc
> #        default_tkt_enctypes = des-cbc-crc
> #        permitted_enctypes = des-cbc-crc
> #       default_tgs_enctypes = des3-hmac-sha1
> #       default_tkt_enctypes = des3-hmac-sha1
> #       permitted_enctypes = des3-hmac-sha1
> #       permitted_enctypes = des-cbc-crc

> And I get message on server-log:
> 
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No supported encryption types (config file error?)
> Nov 14 18:50:23 archiv rpc.svcgssd[4812]: ERROR: GSS-API: error in handle_nullreq: gss_accept_sec_context(): GSS_S_FAILURE (Unspecified GSS failure.  Minor code may provide more information) - No supported encryption types (config file error?)
> 
> Please help me with this problem.

This will only work if you have other possibilities in the Kerberos keytab.

> P.S. On the client (hostname debian) an NFS server is installed, and if I run:
> root@debian:~# grep -v ^# /etc/exports
> /nfs        gss/krb5(rw,sync,fsid=0,crossmnt,no_subtree_check)
> root@debian:~# mount -v -t nfs4 -o sec=krb5 debian:/ /mnt
> mount.nfs4: timeout set for Mon Nov 14 18:58:10 2011
> mount.nfs4: trying text-based options 'sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50'
> debian:/ on /mnt type nfs4 (rw,sec=krb5)
> root@debian:~# mount | grep nfs
> nfsd on /proc/fs/nfsd type nfsd (rw)
> rpc_pipefs on /var/lib/nfs/rpc_pipefs type rpc_pipefs (rw)
> debian:/ on /mnt type nfs4 (rw,sec=krb5,addr=10.0.0.50,clientaddr=10.0.0.50)

So it worked, I guess that's the initial scenario where you are using
des-cbc-crc?

I myself have little to no experience with Kerberos, but I would try
klist to see what's in your keytabs (/etc/krb5.keytab) and related tools
to add entries to the keytab when needed. This does not look like an NFS
problem to me or am I mistaken?

Cheers

Luk
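
The comparison suggested in the reply above (list the keytab, then check it against the enctypes set in krb5.conf), as an added example that is not part of the original message. The principal, realm, function names and sample files are constructed, and the short enctype names in the `klist -ke` listing are an assumed output format.

```shell
# Added example; function names and sample data are this example's own.
# Assumes `klist -ke` lines shaped like "   3 nfs/host@REALM (des-cbc-crc)".

# Enctypes that the keytab listing in file $1 holds for principals starting with $2.
keytab_enctypes() {
    awk -v svc="$2" '$1 ~ /^[0-9]+$/ && index($2, svc) == 1 {
        e = $NF; gsub(/[()]/, "", e); print e }' "$1" | sort -u
}

# Values of setting $2 in krb5.conf $1, one per line; commented lines are skipped.
conf_enctypes() {
    awk -F= -v key="$2" '/^[ \t]*[#;]/ { next }
        { k = $1; gsub(/[ \t]/, "", k) }
        k == key { n = split($2, v, /[ \t,]+/)
                   for (i = 1; i <= n; i++) if (v[i] != "") print v[i] }' "$1"
}

# Permitted enctypes for which the keytab has no key ($3 = service prefix).
missing_keys() {
    have=$(keytab_enctypes "$1" "$3")
    for e in $(conf_enctypes "$2" permitted_enctypes); do
        printf '%s\n' "$have" | grep -qxF -- "$e" || printf '%s\n' "$e"
    done
}

# Keytab enctypes the config does not permit (nothing if the setting is unset).
unpermitted_keys() {
    allowed=$(conf_enctypes "$2" permitted_enctypes)
    [ -n "$allowed" ] || return 0   # setting absent: library defaults apply
    for e in $(keytab_enctypes "$1" "$3"); do
        printf '%s\n' "$allowed" | grep -qxF -- "$e" || printf '%s\n' "$e"
    done
}

# Constructed sample data (real use: klist -ke /etc/krb5.keytab > "$KLIST_OUT").
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT
KLIST_OUT=$WORK/klist.txt; KRB5_CONF=$WORK/krb5.conf
cat > "$KLIST_OUT" <<'EOF'
KVNO Principal
---- ----------------------------------------------------------------
   3 nfs/archiv.example.test@EXAMPLE.TEST (des-cbc-crc)
EOF
cat > "$KRB5_CONF" <<'EOF'
[libdefaults]
#        permitted_enctypes = des-cbc-crc
        permitted_enctypes = des3-hmac-sha1
EOF
printf 'permitted, no key: %s\nkey, not permitted: %s\n' \
    "$(missing_keys "$KLIST_OUT" "$KRB5_CONF" nfs/)" "$(unpermitted_keys "$KLIST_OUT" "$KRB5_CONF" nfs/)"
```

When both lists are non-empty, as with this sample, no enctype is both configured and present in the keytab for the nfs/ principal.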


